AD CS: Troubleshooting Cross-forest Certificate Enrollment

Applies To: Windows Server 2008 R2, Windows Server 2008 R2 with SP1

Common problems and resolutions related to using AD CS for cross-forest certificate enrollment are described.

PKI object synchronization issues

If the PKI objects are not the same in all forests, a number of problems can occur during certificate enrollment. For example, domain members may receive errors indicating certificate template version number inconsistencies.

You must ensure that the same set of PKI objects and certificate templates exist in all forests and that the attribute values on each object are the same across forests.

To compare the objects in two forests, use the command .\PKISync.ps1 -sourceforest <SourceForestDNS> -targetforest <TargetForestDNS> -whatif. By using the –whatif switch, the script will display the objects that would be copied but does not copy them. If the output for an object does not include the message "Object exists, use -f to overwrite", then the object exists in <source forest> but not in <target forest>.

To display an object’s attribute values, use the DumpADObj.ps1 script included in this guide. See AD CS: DumpADObj.ps1 Script for Cross-forest Certificate Enrollment.

To compare the attribute values of two objects in different forests, use DumpADObj.ps1 for each object. Use a program to compare the output files for the two objects. If WinDiff.exe is not included in the version of Windows you are using, see Windows XP Service Pack 2 Support Tools.

To display the PKI objects in AD DS, use the command certutil –viewstore <certificate store name>[<output file>].

  • To view root CA certificates, use cerutil –viewstore "ldap:///CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=<ForestRootNameSpace>?cACertificate?one?objectClass=certificationAuthority" [<output file>]

  • To view enterprise CA certificates in the NTAuthCertificates container, use certutil viewstore "ldap:///CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=<ForestRootNameSpace>?cACertificate" [<output file>]

  • To view enterprise CA certificates in the AIA container, use certutil -viewstore "ldap:///CN=AIA,CN=Public Key Services,CN=Services,CN=Configuration,DC=<ForestRootNameSpace>?cACertificate?one?objectClass=certificationAuthority" [<output file>].

Public key containers or default certificate templates deleted

Problem: Default containers or certificate templates have been deleted from the Public key services container in Active Directory Domain Services (AD DS).

Resolution: , The default containers, objects and certificate templates can be installed to AD DS at any time by using the command certutil.exe –installdefaulttemplates.

Only the default containers, objects and certificate templates are installed. Custom certificate templates cannot be restored by using certutil.exe. You should also implement a backup solution for AD DS. See Active Directory Backup and Restore in Windows Server 2008 in Technet Magazine.

Certutil connection errors when connecting to a CA

Problem: When you run the commands certutil –config <computer name\ca name> -ca.cert or certutil –config <computer name\ca name> –ping, the command fails and displays an error message:

  • CertUtil: The RPC server is unavailable.


  • CertUtil: Access is denied.

Resolution: Add the user running the command to the CERTSVC_DCOM_ACCESS security group on the CA specified in <computer name\ca name>.

AD CS: Cross-forest Certificate Enrollment with Windows Server 2008 R2

AD CS: Deploying Cross-forest Certificate Enrollment

AD CS: Managing Cross-forest Certificate Enrollment

AD CS: PKISync.ps1 Script for Cross-forest Certificate Enrollment

AD CS: DumpADObj.ps1 Script for Cross-forest Certificate Enrollment